Traffic-flow analysis for source-side DDoS recognition on 5G environments

https://doi.org/10.1016/j.jnca.2019.02.030

Abstract

This paper introduces a novel approach for detecting the participation of a protected network device in flooding-based Distributed Denial of Service attacks. To this end, traffic flows are inspected at the source side, looking for discordant behaviors. In contrast to most previous solutions, the proposal assumes the non-stationarity and heterogeneity inherent in emerging communication environments. In particular, the approach takes advantage of the monitoring and knowledge acquisition capabilities implemented in the SELFNET (H2020-ICT-2014-2/671672) project, which facilitates its implementation as a self-organizing solution on 5G mobile networks. Monitoring, feature extraction and knowledge acquisition tasks are carried out on the centralized control plane, hence the proposed architecture minimizes the impact on operational performance and supports end-point mobility. The preliminary results observed when considering different metrics, adjustment parameters, and a dataset with traffic observed in 61 real devices proved effective in distinguishing normal activities from DDoS behaviors of different intensity. With an optimal granularity selection, the highest AUC reached values close to 1.0 when measured under the most intense attacks, demonstrating optimal TPR and FPR relationships by adapting to the instantiated use cases.

Introduction

The significant increase in Distributed Denial of Service (DDoS) attacks registered in recent years has alarmed the main cybersecurity organizations (CCN-CERT, 2017), posing well-known threats to the information society. A significant example of this problem was observed in October 2016, when the DNS servers of the Dyn provider registered one of the most complex and widely publicized DDoS campaigns (Almeida et al., 2017). This resulted in disabling dozens of services, web pages and social networks, some of them widely used, for example Twitter, Reddit, Github, Amazon or Spotify. This was achieved by exploiting a vulnerability present in millions of devices of different nature connected to the Internet of Things (IoT) (Bertino and Islam, 2017; Sicari et al., 2018). The threat was orchestrated from a botnet managed by the malware specimen Mirai (Kolias et al., 2017; Antonakakis et al., 2017), and the attack served to aggravate the uncertainty of many users about the safety of their network devices, who, as a result of this incident or similar attacks, would ask themselves: are my end-user or IoT devices also taking part in remotely coordinated malicious campaigns? If so, what are their purposes? To what extent are they contributing? And how can I prevent such situations?

Despite the importance of combating these threats by monitoring single source-side devices, this approach has barely been studied by the research community from the point of view of communication networks (Zargar et al., 2013; Yan et al., 2016), whose efforts have usually aimed at analyzing network traffic at the intermediate or victim edges of the intrusion, or at identifying infections by remote-control malware, typically related to botnets (Acarali et al., 2016). Fortunately, as a result of the emergence of novel communication network technologies (Software-Defined Networking (SDN), Network Function Virtualization (NFV), etc.) and the recent advances towards consolidating fifth generation networks (5G) (Gavrilovska et al., 2016), the detection of DDoS attacks by analyzing traffic monitored at the source side acquires a new meaning, now playing an essential role in defining defensive strategies based on Self-Organizing Network (SON) deployments (Maestre Vidal et al., 2018). This requirement contrasts with a literature dominated by obsolete approaches (Yan et al., 2016) that usually do not assume the characteristics expected in future networks, among them high heterogeneity, non-stationarity or the reduction of operational expenditures.

In order to contribute to the development of solutions capable of dealing with the aforementioned problems, this paper introduces the FlowSentinel intrusion detection approach. FlowSentinel addresses the challenge of analyzing outbound traffic flows looking for traits of malicious activities, in particular those related to the involvement of a device as the source side of DDoS attempts. The discovery of suspicious activities is driven by estimating the monitored traffic behavior from aggregated metrics and building prediction intervals around that estimate. When the intervals are surpassed, the discordance is tagged as anomalous and reported as a suspicious situation related to malicious resource depletion. For experimental purposes, FlowSentinel was originally built for Android systems. However, with a proper implementation the method is scalable to alternative IoT technologies.

The first FlowSentinel implementation was a portable solution in which all analytics were performed on the device itself, allowing users to install and run a defensive application that executed each data processing stage (Dro, 2018a). But due to the heterogeneity and non-stationarity inherent to the traffic output of a single mobile device, which usually depends on user behavior, the analytics had to adapt to changes in the distribution of the monitored data, thus gaining sophistication. Despite their effectiveness, these modifications implied important penalties in terms of quality of user experience, among them significant CPU, memory and battery consumption. Another requirement of the new generation networks to be borne in mind is the compatibility of the traffic analysis with self-organization schemes, which allow diagnosing the state of the network, making decisions and applying countermeasures without human operator supervision (closed loop). Because of this, the current version of FlowSentinel has been designed and developed as an anomaly detection framework under the SELFNET project (H2020-ICT-2014-2/671672) (Dro, 2018d), from which it inherits monitoring, correlation, analysis and decision-making capabilities. This facilitates its adaptation to more sophisticated self-protection approaches. As a result, the main contributions of the performed research are:

  • The in-depth review of the flooding-based DDoS landscape and the latest proposals for its mitigation in the bibliography.

  • A novel method for flooding-based DDoS identification by analyzing source-side activities. Aiming at facilitating its interoperability with the emergent communication scenarios, the solution has been adapted to the non-stationarity inherent in large and heterogeneous environments.

  • A detailed description about how the proposal was integrated in an advanced 5G multi-layered architecture for self-protective purposes, that describes a framework for further similar deployments.

  • A labeled dataset for training/evaluation purposes with real traffic captures from 61 devices of different nature. It gathers 72,400 normal traffic samples, and 78,300 samples of flooding-based attacks.

  • An evaluation methodology able to assess the effectiveness of similar proposals.

  • An exhaustive discussion of the achieved results along different dimensions (attack characterization, family of devices, monitoring granularity, etc.), which aims at facilitating the comparison of our findings with those of future publications.

In order to facilitate the understanding of the proposal, the paper has been organized in the following eight sections: Section 1 introduces the DDoS problem and the main motivations of the performed research; Section 2 reviews the main traits of DDoS attacks and the different approaches for their mitigation; Section 3 details the assumed design principles and the FlowSentinel architecture; Section 4 describes the metrics considered at the different data processing stages; Section 5 proposes a novel DDoS detection strategy based on studying traffic flows; Section 6 defines its evaluation methodology; Section 7 discusses the obtained results; and finally, Section 8 presents the conclusions and future work.

Section snippets

Background

The principal traits of the flooding-based Denial of Service attacks and the most relevant countermeasures proposed by the research community are described throughout this section.

Design principles

This section delves into the FlowSentinel design principles reviewing its objectives, assumptions and limitations. It also describes the current FlowSentinel architecture and the strategy for acquiring initial factual knowledge, in this way detailing the procedures for monitoring metric generation and knowledge inference.

Denial of service indicators

Throughout the performed research different levels of information processing have been studied, which entailed the need for extracting very heterogeneous features that facilitate the analysis of the knowledge acquired from the monitored devices, which is analyzed as univariate time series. They are summarized in Table 1 and described throughout this section.

Source-side flooding-based DDoS detection

FlowSentinel bases its detection strategy on studying univariate time series built from aggregated metrics, which are deduced from both traffic monitored at the protected devices and collections of reference time series with training and validation purposes (at the performed experimentation, the M3-Competition (Makridakis and Hibon, 2000) dataset). To this end, three major data processing stages are distinguished: Training, Adaptive Prediction and Decision-making (see Fig. 2). At Training
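The three-stage idea described above (aggregate outbound flows into a univariate series, keep an adaptive prediction interval, flag bins that surpass it, and score the decisions as TPR/FPR) is sketched below as an added illustration in Python; it is not the paper's code, and the paper's own metrics and interval construction are only summarized on this page. The expected level is tracked with simple exponential smoothing (Brown, 1957, which the paper cites), the interval half-width follows the smoothed absolute residual so that a drifting baseline is tolerated, and the flow records are constructed; the function names, the smoothing parameters, and the rule that flagged bins do not update the baseline are assumptions.

```python
"""Source-side flooding detector sketch: aggregate outbound flows into a
univariate series, track an adaptive prediction interval, flag discordances."""
from collections import defaultdict


def aggregate(flows, bin_width, metric="packets"):
    """Bin outbound flow records (t_seconds, dst, packets, bytes) into a
    univariate series; bin_width is the monitoring granularity."""
    bins = defaultdict(int)
    for t, _dst, packets, nbytes in flows:
        bins[t // bin_width] += packets if metric == "packets" else nbytes
    return [bins[i] for i in range(max(bins) + 1)]


def detect(series, alpha=0.3, k=3.0, warmup=5, floor=1.0):
    """Return one anomaly flag per bin. The expected level is tracked with
    simple exponential smoothing (Brown, 1957) and the interval half-width is
    k times the smoothed absolute residual, so both follow a drifting baseline.
    Assumption (not stated in the paper): flagged bins do not update the model,
    so a sustained flood cannot drag the baseline up to its own level."""
    level, spread, flags = series[0], floor, []
    for i, x in enumerate(series):
        upper = level + k * max(spread, floor)
        anomalous = i >= warmup and x > upper   # no alarms before warm-up
        flags.append(anomalous)
        if not anomalous:
            resid = abs(x - level)
            level += alpha * (x - level)
            spread += alpha * (resid - spread)
    return flags


def evaluate(flags, labels):
    """TPR and FPR of the per-bin flags against per-bin ground truth."""
    tp = sum(1 for f, l in zip(flags, labels) if f and l)
    fp = sum(1 for f, l in zip(flags, labels) if f and not l)
    pos = sum(labels)
    neg = len(labels) - pos
    return (tp / pos if pos else 0.0), (fp / neg if neg else 0.0)


def constructed_flows():
    """Constructed sample: one device's outbound flows over 13 ten-second bins,
    8 bins of ordinary traffic, 3 bins of a packet flood, 2 bins of recovery."""
    per_bin = [12, 10, 14, 11, 13, 12, 10, 14, 400, 400, 400, 12, 11]
    labels = [p >= 400 for p in per_bin]
    flows = []
    for i, p in enumerate(per_bin):          # two destinations per bin
        flows.append((i * 10 + 2, "198.51.100.7", p // 2, (p // 2) * 90))
        flows.append((i * 10 + 7, "198.51.100.9", p - p // 2, (p - p // 2) * 90))
    return flows, labels


def run_demo(bin_width=10):
    """Training/prediction/decision pass over the constructed sample."""
    flows, labels = constructed_flows()
    series = aggregate(flows, bin_width)
    flags = detect(series)
    tpr, fpr = evaluate(flags, labels)
    return series, flags, tpr, fpr


if __name__ == "__main__":
    s, f, tpr, fpr = run_demo()
    print("series:", s)
    print("flags :", [int(x) for x in f])
    print(f"TPR={tpr:.2f} FPR={fpr:.2f}")
```

Changing `bin_width` coarsens or refines the granularity the paper tunes; a lower-intensity flood would need a smaller `k` to be caught, at the cost of more false positives on bursty normal bins.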

Experimentation

In order to assess the effectiveness of FlowSentinel, different experiments have been conducted on traffic traces monitored from end-point devices of different nature. The gathered sample collection and the applied experimentation methodology are described below.

Results and discussion

The following describes and discusses the obtained results when varying the data granularity, usage mode of the inspected devices and attack intensity.

Conclusions

This contribution revealed a research line aimed at detecting flooding-based DDoS attacks by analyzing source-side traffic flows from protected devices, thus supporting the development of defensive SON solutions grounded on endpoint monitoring. To this end, an autonomic architecture operable on the emerging communication networks and a novel intrusion detection approach adaptable to non-stationary processes were introduced. Their effectiveness has been proven at an extensive

Acknowledgements

The authors want to thank the support of the SELFNET (A Framework for Self-Organized Network Management in Virtualized and Software Defined Networks) project, which was funded by the European Commission Horizon 2020 Programme under Grant Agreement number H2020-ICT-2014-2/671672.

References (112)

  • D. Goldberg et al. A comparative analysis of selection schemes used in genetic algorithms. Found. Genet. Algorithms (1991).
  • M. Imran et al. Toward an optimal solution against denial of service attacks in software defined networks. Future Gener. Comput. Syst. (2019).
  • A. Kamrani et al. A genetic algorithm methodology for data mining & intelligent knowledge acquisition. Int. J. Forecast. (2001).
  • A. Kiremire et al. Using network motifs to investigate the influence of network topology on PPM-based IP traceback schemes. Comput. Network. (2014).
  • D. MacFarland et al. The best bang for the byte: characterizing the potential of DNS amplification attacks. Comput. Network. (2017).
  • O. Markelov et al. Statistical modeling of the Internet traffic dynamics: to which extent do we need long-term correlations? Phys. A Stat. Mech. Appl. (2017).
  • M. Masugi. Applying a recurrence plot scheme to analyze non-stationary transition patterns of IP-network traffic. Commun. Nonlinear Sci. Numer. Simul. (2009).
  • P. Mendes. Combining data naming and context awareness for pervasive networks. J. Netw. Comput. Appl. (2015).
  • P. Neves et al. Future mode of operations for 5G: the SELFNET approach enabled by SDN/NFV. Comput. Stand. Interfac. (2017).
  • I. Ozcelik et al. Deceiving entropy based DoS detection. Comput. Secur. (2015).
  • L. Rutkowski et al. The CART decision tree for mining data streams. Inf. Sci. (2014).
  • K. Sahoo et al. An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics. Future Gener. Comput. Syst. (2018).
  • A. Saied et al. Detection of known and unknown DDoS attacks using Artificial Neural Networks. Neurocomputing (2016).
  • M. Semerci et al. An intelligent cyber security system against DDoS attacks in SIP networks. Comput. Network. (2018).
  • S. Sicari et al. REATO: reacting to denial of service attacks in the Internet of Things. Comput. Network. (2018).
  • Z. Su et al. CeMon: a cost-effective flow monitoring system in software defined networks. Comput. Network. (2015).
  • Z. Wang. An elastic and resiliency defense against DDoS attacks on the critical DNS authoritative infrastructure. J. Comput. Syst. Sci. (2019).
  • M. Agiwal et al. Next generation 5G wireless networks: a comprehensive survey. IEEE Commun. Surv. Tutor. (2016).
  • N. Alenezi et al. Uniform DoS traceback. Comput. Secur. (2014).
  • V. Almeida et al. Cyberwarfare and digital governance. IEEE Internet Comput. (2017).
  • A. Aly et al. A reevaluation of the adaptive exponentially weighted moving average control chart when parameters are estimated. Qual. Reliab. Eng. Int. (2015).
  • M. Antonakakis et al. Understanding the Mirai botnet.
  • L. Bantis et al. Construction of confidence regions in the ROC space after the estimation of the optimal Youden index-based cut-off point. Biometrics (2014).
  • E. Bertino et al. Botnets and Internet of Things security. Computers (2017).
  • R. Braga et al. Lightweight DDoS flooding attack detection using NOX/OpenFlow.
  • L. Breiman. Random forests. Mach. Learn. (2001).
  • R. Brown. Exponential smoothing for predicting demand. Oper. Res. (1957).
  • CCN-CERT. IA-16/17 CyberThreats-Trends (2017).
  • Y. Cheung et al. Lag order and critical values of the augmented Dickey-Fuller test. J. Bus. Econ. Stat. (1995).
  • P. Demestichas et al. 5G on the horizon: key challenges for the radio-access network. IEEE Veh. Technol. Mag. (2013).
  • G. Ditzler et al. Learning in nonstationary environments: a survey. IEEE Comput. Intell. Mag. (2015).
  • Open Source Software for Creating Private and Public Clouds (2015).
  • Open vSwitch (2015).
  • OpenDaylight TSDR (2015).
  • TSFRESH: Time Series Feature Extraction Based on Scalable Hypothesis Tests (2015).
  • 5G PPP Architecture Working Group View on 5G Architecture (2017).
  • Low Orbit Ion Cannon (LOIC) (2017).
  • WarChild DoS Test Suite (2017).
  • DroidSentinel (2018).
  • Internet Noise (2018).

    Marco Antonio Sotelo Monge holds a B.Sc. in Computer Science Engineering from the Universidad Continental (Peru) and an M.Sc. in Computer Science from the Universidad Complutense de Madrid (Spain). He holds a PhD in Computer Science from the same university. He is working as a full-time Researcher for the Group of Analysis, Security and Systems (GASS) at UCM. He currently participates in the European projects SELFNET (H2020-ICT-2014-2/671672) and RAMSES (H2020-FCT-04-2015/700326). His main research interests are 5G, SDN/NFV, artificial intelligence and information security.

    Andrés Herranz González graduated in Computer Engineering from the Universidad Complutense de Madrid (Spain) in 2018. He is passionate about artificial intelligence, data science and research. During his last year at the university, while working in the Innovation area of Everis (NTT Data), he collaborated with the research group GASS in the SELFNET (H2020-ICT-2014-2/671672) European project with the Department of Software Engineering and Artificial Intelligence (DISIA) of the Universidad Complutense de Madrid.

    Borja Lorenzo Fernández graduated in Computer Science Engineering from the Universidad Complutense de Madrid (Spain) in 2018. He is interested in computer security, research and hacking. Currently, he collaborates with the research group GASS in the SELFNET (H2020-ICT-2014-2/671672) European project at the Department of Software Engineering and Artificial Intelligence (DISIA) of the Universidad Complutense de Madrid. Simultaneously he is gaining professional experience as an auditor in the Hacking Department at Innotec system (Entelgy).

    Diego Maestre Vidal is in his last year of the Computer Science Engineering degree at the Universidad Complutense de Madrid (Spain). He collaborates with the group GASS in the project SELFNET (H2020-ICT-2014-2/671672), and he also holds a degree in Administration of Systems and Networks. Since 2017, he has been a lecturer at Logix5 Smart Solutions. His main research interests are Network Security, Artificial Intelligence and Pattern Recognition.

    Guillermo Rius García graduated in the Bachelor Program in Computer Science Engineering at Universidad Complutense de Madrid in 2018, where he co-authored a degree dissertation which awarded him several prizes by reputed consulting companies such as Management Solutions and Sopra Steria. He further complemented his academic background with his collaboration with research group GASS at the Department of Software Engineering and Artificial Intelligence (DISIA), from the Faculty of Computer Science and Engineering at Universidad Complutense de Madrid, where he participated as fellow researcher in SELFNET (H2020-ICT-2014-2/671672) European project. Additionally, he currently combines his research activity at the aforementioned research group with his professional life at INDRA transportation department, where he works as data scientist.

    Jorge Maestre Vidal (https://jmaestrevidal.com) is Senior Specialist in Cybersecurity (senior researcher) at Indra, and member of the Department of Software Engineering and Artificial Intelligence (DISIA) of the Faculty of Computer Science and Engineering at the Complutense University of Madrid (UCM), Spain. He received a Computer Science Engineering degree from the UCM in 2012, a master's degree in Research in Computer Science in 2013, and a PhD in Computer Science in 2018. In 2016 he was Visiting Researcher at Instituto de Telecomunicações (IT), Aveiro, Portugal. His academic experience includes teaching and supervision of final degree projects. In addition, he participated in projects funded by private organizations (Banco Santander, Safelayer Secure Communications S.A., etc.) and public institutions (EDA, FP7, Horizon 2020, Plan Nacional de I + D + i, Spanish Ministry of Defense, etc.). He recently participated in the European projects SELFNET (H2020-ICT-2014-2/671672) and RAMSES (H2020-FCT-04-2015/700326), and he is an occasional collaborator with the 5G-PPP Security WG. His main research interests are Artificial Intelligence, Information Security and the emerging Communication Technologies, where he has a significant background proven by publications in several research journals (Knowledge-Based Systems, Swarm and Evolutionary Computation, Journal of Network and Computer Applications, etc.), conferences (ARES, EuroS&P, ICIT, RAID, etc.), participation in international research projects (H2020, COST, CYTED), experience as peer reviewer (Elsevier, MDPI, IEEE, Adelaide, etc.) and membership of different organizing/technical committees (ICSP-AS, SDN-NGAS, ICQNM, AIR, etc.). He is also an evaluator of the National Fund for Scientific and Technological Development (FONDECYT) of the Chilean National Commission for Scientific and Technological Research (CONICYT).